Anupam Rai created RANGER-4134:
----------------------------------
Summary: Policy Condition Enforcement is not happening if
different policy condition is applied for same user in Allow policy items
Key: RANGER-4134
URL: https://issues.apache.org/jira/browse/RANGER-4134
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Anupam Rai
Policy Condition Enforcement is not happening if different policy condition is
applied for same user in Allow policy items.
Steps to reproduce :
Ranger default evaluator :
[RangerHiveResourcesAccessedTogetherCondition|https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesAccessedTogetherCondition.java],[RangerHiveResourcesNotAccessedTogetherCondition|https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerHiveResourcesNotAccessedTogetherCondition.java]
1. Create a policy with the policy items below:
{code:java}
"policyItems": [
  {
    "users": [
      "XXXXXX"
    ],
    "conditions": [
      {
        "type": "not-accessed-together",
        "values": [
          "db.table.col1",
          "db.table.col2"
        ]
      }
    ],
    "accesses": [
      {
        "type": "select",
        "isAllowed": true
      }
    ]
  },
  {
    "users": [
      "XXXXX"
    ],
    "conditions": [
      {
        "type": "not-accessed-together",
        "values": [
          "db.table.col1",
          "db.table.col3"
        ]
      }
    ],
    "accesses": [
      {
        "type": "select",
        "isAllowed": true
      }
    ]
  }
]
{code}
3. Now try accessing the table columns in beeline:
select col1,col2 from db.table;
select col1,col3 from db.table;
Expected: The user should be denied access to these columns when trying to
access them together.
Actual: The user is able to run queries accessing both columns together.
{code:java}
0: jdbc:hive:// select col1,col2 from b.table;
........
INFO : OK
+-------+-------+
| col1 | col2 |
+-------+-------+
| anup | 30 |
| abhi | 26 |
| deep | 30 |
+-------+-------+
3 rows selected (0.282 seconds)
0: jdbc:hive: select col1,col3 from db.table;
....
INFO : OK
+-------+-------+
| col1 | col3 |
+-------+-------+
| anup | rang |
| abhi | rang |
| deep | rang |
+-------+-------+
3 rows selected (0.252 seconds) {code}
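A simplified model of the two allow items above, added here as an illustration and not taken from Ranger or from the report: it compares the reporter's expected outcome with an assumed evaluation in which any single matching allow item grants access, and flags users listed in several allow items with different `not-accessed-together` sets. The function names and the any-item-grants evaluation are assumptions, not a confirmed root cause.

```python
import json

# Constructed sample: the two allow items from the report, same redacted user in both.
POLICY = json.loads("""
{"policyItems": [
  {"users": ["XXXXXX"],
   "conditions": [{"type": "not-accessed-together",
                   "values": ["db.table.col1", "db.table.col2"]}],
   "accesses": [{"type": "select", "isAllowed": true}]},
  {"users": ["XXXXXX"],
   "conditions": [{"type": "not-accessed-together",
                   "values": ["db.table.col1", "db.table.col3"]}],
   "accesses": [{"type": "select", "isAllowed": true}]}
]}
""")

def restricted_sets(item):
    """Column sets that an item's not-accessed-together conditions forbid together."""
    return [frozenset(c["values"]) for c in item.get("conditions", [])
            if c["type"] == "not-accessed-together"]

def item_allows(item, user, columns):
    """An item matches if the user is listed and no forbidden set is fully accessed."""
    # Simplification: access types are not checked, every item here grants select.
    return user in item["users"] and not any(s <= columns for s in restricted_sets(item))

def per_item_decision(policy, user, columns):
    """Assumed model (hypothetical): any single matching allow item grants access."""
    return any(item_allows(i, user, columns) for i in policy["policyItems"])

def expected_decision(policy, user, columns):
    """Reporter's expectation: every condition attached to the user must hold."""
    items = [i for i in policy["policyItems"] if user in i["users"]]
    return bool(items) and all(item_allows(i, user, columns) for i in items)

def users_with_divergent_conditions(policy):
    """Flag users listed in several allow items with differing restricted sets."""
    seen, flagged = {}, set()
    for item in policy["policyItems"]:
        for user in item["users"]:
            sets = frozenset(restricted_sets(item))
            if user in seen and seen[user] != sets:
                flagged.add(user)
            seen.setdefault(user, sets)
    return sorted(flagged)
```

Running `users_with_divergent_conditions` over exported policies is a cheap audit for the pattern in this report, independent of how the plugin resolves it.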